C2 Communication
May 1, 2024 ยท View on GitHub
| ID | B0030 |
| Objective(s) | Command and Control |
| Related ATT&CK Techniques | None |
| Version | 2.4 |
| Created | 1 August 2019 |
| Last Modified | 28 April 2024 |
C2 Communication
All command and control malware use implant/controller communication. The methods listed below can be used to capture explicit communication details. Remote file copy behavior is captured separately, as is done in ATT&CK - see Ingress Tool Transfer (E1105).
Command and Control Communication relates to autonomous communications, not explicit, on-demand commands that malware provides to an adversary (such commands should be captured with Remote Commands under the Execution objective).
As "server" and "client" are confusing terminology, we use the terms "controller" and "implant". The controller is the software running on adversary-controlled infrastructure and used to send commands to the implant. The implant is the software running on victim-controlled infrastructure that receives commands from the adversary, executes those commands on the victim, and optionally sends the results back to the adversary.
Methods
| Name | ID | Description |
|---|---|---|
| Authenticate | B0030.011 | Implant may authenticate itself to the controller, controller may authenticate itself to implant, or both. This is often at or near the start of communication. Examples include but are not limited to a simple shared secret (e.g. password), challenge-response with symmetric encryption, or challenge-response with asymmetric encryption. |
| Check for Payload | B0030.005 | An implant may check with the controller for additional payloads or instructions, sometimes at a regular interval. This is also known as beaconing. |
| Directory Listing | B0030.012 | Controller requests a directory listing from the implant, optionally from a given path, optionally recursive. |
| Execute File | B0030.013 | Execute/run/open the file using default operating system functionality, optionally with provided command-and-scripting-interpreter arguments. The file may or may not already exist on the victim. |
| Execute Shell Command | B0030.014 | Execute/run the given command using a built-in program (e.g. cmd.exe, PowerShell, bash). This differs from Start Interactive Shell because the shell process is started only for the received command or set of commands and then exits. There is no loop looking for additional commands while the shell process is still running. |
| File search | B0030.015 | Controller requests the implant to search for a given filename pattern, often a glob. |
| Implant to Controller File Transfer | B0030.004 | File is transferred from implant to controller. |
| Receive Data | B0030.002 | Receive data or command from a controller. |
| Request Command | B0030.008 | Implant requests a command. |
| Request Email Address List | B0030.010 | Request email address list. |
| Request Email Template | B0030.009 | Request email template. |
| Send Data | B0030.001 | Send data to a controller. |
| Send Heartbeat | B0030.007 | Heartbeat sent. |
| Send System Information | B0030.006 | Implant sends system information. |
| Server to Client File Transfer | B0030.003 | File is transferred from controller to implant. |
| Start Interactive Shell | B0030.016 | Starts an interactive shell using a built-in program (e.g. cmd.exe, PowerShell, bash). This is often implemented with polling the network connection from the controller for text commands to redirect to the shell's stdin and polling the shell's stdout and stderr to redirect over the network to the controller. This differs from Execute Shell Command because the shell process runs across multiple iterations of the recv-command(s)-send-result loop. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| CryptoWall | 2014 | B0030.001 | The malware sends a hash value generated from system information. [1] |
| CryptoWall | 2014 | B0030.002 | The malware receives a public key from the C2. [1] |
| CryptoLocker | 2013 | B0030.001 | The malware sends a hash value generated from system information. [14] |
| CryptoLocker | 2013 | B0030.002 | The malware receives a public key from the C2. [14] |
| CryptoLocker | 2013 | B0030.011 | The malware sends a phone-home message with encryption to start. [14] |
| GoBotKR | 2019 | B0030.002 | GoBotKR receives data from the C2. [2] [19] |
| Terminator | 2013 | B0030.001 | The malware sends data to the C2. [3] |
| UP007 | 2016 | B0030.001 | The malware sends hardened HTTP headers disguised as Microsoft Update traffic. [4] |
| UP007 | 2016 | B0030.002 | The malware receives payloads. [4] |
| YiSpecter | 2015 | B0030.006 | The malware connects to the C2 server using HTTP to send device information. [5] |
| Ursnif | 2016 | B0030.011 | Ursnif variant Dreambot authenticates and encrypts traffic to the C2 server using TOR. [6] |
| Emotet | 2018 | B0030.010 | New email addresses are collected automatically from the victim's address books. [7] |
| CHOPSTICK | 2015 | B0030.001 | CHOPSTICK sends data to the C2 server using HTTP POST requests. [8] |
| CozyCar | 2010 | -- | CozyCar communicates with a C2 server. [9] |
| EvilBunny | 2011 | -- | EvilBunny communicates C2 via HTTP. [10] |
| Clipminer | 2011 | -- | Clipminer communicates to a Tor Onion Service via HTTP. [11] |
| Matanbuchus | 2021 | B0030.001 | The malware sends collected data about the system to C2 server. [12] [13] |
| Matanbuchus | 2021 | B0030.002 | The C2 server returns Base64 encoded data containing the information about the next command for the loader. [12] [13] |
| Matanbuchus | 2021 | B0030.013 | The payload is run by explorer.exe. [12] [13] |
| Gamut | 2014 | B0030.002 | Gamut receives data from the C2. [15] |
| Gamut | 2014 | B0030.003 | The malware receives files from the C2. [15] |
| GravityRAT | 2018 | B0030.002 | GravityRAT receives data from the C2. [19] |
| Heriplor | 2012 | B0030.002 | Heriplor malware has a capability to connect with a C2 to download arbitrary code. [16] |
| Rombertik | 2015 | B0030.001 | The malware sends data to the C2. [17] [19] |
| Rombertik | 2015 | B0030.002 | The malware receives data from the C2. [19] |
| Hupigon | 2013 | BB0030.001 | The malware sends data to the C2. [19] |
| Hupigon | 2013 | B0030.002 | The malware receives data from the C2. [19] |
| Kovter | 2016 | B0030.001 | The malware sends data to the C2. [19] |
| Kovter | 2016 | B0030.002 | The malware receives data from the C2. [19] |
| SearchAwesome | 2018 | B0030.002 | The malware receives data from the C2 server. [18] |
| ElectroRAT | 2020 | -- | ElectroRat communicates to a Pastebin site via HTTP. [20] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| send data | C2 Communication::Send Data (B0030.001) | -- |
| receive data | C2 Communication::Receive Data (B0030.002) | -- |
| download and write a file | C2 Communication::Server to Client File Transfer (B0030.003) | -- |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| office_cve2017_11882_network | C2 Communication (B0030) | ConnectEx, URLDownloadToFileW |
| internet_dropper | C2 Communication (B0030) | HttpOpenRequestA, InternetConnectA, HttpOpenRequestW, InternetConnectW |
| internet_dropper | C2 Communication::Check for Payload (B0030.005) | HttpOpenRequestA, InternetConnectA, HttpOpenRequestW, InternetConnectW |
| bot_madness | C2 Communication (B0030) | -- |
| bot_drive | C2 Communication (B0030) | -- |
| recon_beacon | C2 Communication (B0030) | HttpOpenRequestA, HttpSendRequestA |
| nemty_network_activity | C2 Communication (B0030) | InternetOpenA, InternetOpenUrlA |
| bot_drive2 | C2 Communication (B0030) | -- |
| bot_dirtjumper | C2 Communication (B0030) | -- |
| bot_athenahttp | C2 Communication (B0030) | -- |
| network_dns_tunneling_request | C2 Communication (B0030) | DnsQuery_A, DnsQuery_W |
| network_questionable_host | C2 Communication (B0030) | -- |
| injection_network_traffic | C2 Communication (B0030) | HttpOpenRequestA, URLDownloadToFileW, HttpOpenRequestW, InternetConnectW, InternetConnectA, connect, InternetCrackUrlW, InternetCrackUrlA, WSASend |
| network_bind | C2 Communication (B0030) | listen, bind |
| network_document_http | C2 Communication (B0030) | URLDownloadToFileW, HttpOpenRequestW, InternetCrackUrlW, InternetCrackUrlA, WSASend, InternetReadFile |
| network_country_distribution | C2 Communication (B0030) | -- |
| banker_zeus_url | C2 Communication (B0030) | -- |
| network_dyndns | C2 Communication (B0030) | -- |
| script_network_activity | C2 Communication (B0030) | URLDownloadToFileW, HttpOpenRequestW, send, WSAConnect, InternetCrackUrlW, InternetCrackUrlA, SslEncryptPacket, InternetReadFile |
Code Snippets
B0030.002 Snippet
C2 Communication::Receive Data
SHA256: 304f533ce9ea4a9ee5c19bc81c49838857c63469e26023f330823c3240ee4e0asm loc_401981 mov ecx, s mov edx, edi sub edx, esi push 0 ; flags lea eax, [esi+ebx] push edx ;len push eax ;buf push ecx ;s call recv jmp short loc_4019A2
References
[1] https://news.sophos.com/en-us/2015/12/17/the-current-state-of-ransomware-cryptowall/
[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[3] https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/FireEye-Terminator_RAT.pdf
[4] https://citizenlab.ca/2016/04/between-hong-kong-and-burma/
[5] https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/
[6] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
[7] https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/
[8] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[9] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke
[10] https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/
[11] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
[12] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[13] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader
[14] https://www.secureworks.com/research/cryptolocker-ransomware
[15] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/
[16] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_heriplor.a
[17] https://blogs.cisco.com/security/talos/rombertik
[18] https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection
[19] capa v4.0, analyzed at MITRE on 10/12/2022
[20] https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/